i think it will be useful to u my friends !!!!!!!

1. SECURITY MODEL EVALUATION OF 3G
WIRELESS NETWORKS
MERCY J ABINAYA K
B TECH-II , IT B TECH-II , IT
B S ABDUR RAHMAN UNIVERSITY B S ABDUR RAHMAN UNIVERSITY
smartgalmercy@yahoo.com abisweet93@gmail.com
generations of systems can be distinguished by their
ABTRACT throughput capabilities: 2G networks provide
throughput between 9.6 and 144 kb/ s, while 3G
Third generation mobile phone networks (2G) are networks provide between 384 kb/s and 20 Mb/s . 3G
currently the most widely used wireless telephone are more than just phone networks – the standards
networks in the world. While being an improvement reflect the need for ubiquitous computing and link
over earlier analog systems, active acts, telephony, multimedia, high-speed wide area
authentication, encryption, channel hijack, networking, Internet, and hardware and software to
inflexibility.Third generation mobile phone standards support it. The technologies involved evolved over
(3G) have been designed to address those issues and past two decades and while maintaining the required
provide a better security model.. To provide compatibility had to assimilate the systems which
background, this paper presents an overview of were designed without strong security considerations,
security in 3G networks along with pointing out the vulnerable to many types of attacks. How vulnerable
known problems. Then, security features of 3G are 3G systems? This is the main question of this
systems are presented and solved .Finally, 3G research. To answer this main question, the first three
security model is evaluated according to availability generations of mobile phone networks are surveyed
confidentiality- integrity framework. with focus on security. Corresponding security-
related protocols and their known weaknesses are
Keywords – 3G security, mobile phone networks, reviewed and discussed. The merit of this paper is
UMTS, CDMA2000, GSM, cdmaOne two-fold: first, it presents a survey of modern mobile
phone technology from a security perspective;
1.INTRODUCTION second, it evaluates 3G systems‟ security within the
view of availability-confidentiality-integrity
A recent (Q1 2007) market research by GSMA – a framework. This paper is organized as follows: first,
global trade organization of 700 mobile phone related work is described; then the background
operators and 200 manufacturers and vendors from section gives an overview of earlier generations of
218 countries – reported 2.8 billion worldwide mobile phone technologies; after that, the section on
subscribers. Wireless telephony is part of daily life 3G systems looks at UMTS and CDMA2000
for almost every third human, and the security of standards. The paper concludes with the discussion of
information exchanged through it has a direct impact security model of 3G systems. Due to the complexity
on our personal security as well as the security of of 3G internetworking the following is a brief survey
society as a whole – mobile phone security is an of 3G security – comprehensive analysis of the
important issue. This paper presents the results of subject is beyond the scope of this paper.
research on security in mobile telephone networks
with focus on the newest technologies/standards in 2. RELATED WORK
use today: GSM, cdmaOne, UMTS, and CDMA2000,
together amounting to over 90% of worldwide mobile A significant amount of research was and continues
phone coverage (GSMA data). Most recent of them – to be devoted to mobile phone systems‟ security:
UMTS and CDMA2000 – belong to a set of wireless integral components as well as complete systems are
network standards known as 3G, third generation described and analyzed. In addition to component
mobile telecommunication standards, which replaced specifications, very relevant to this paper are the
or are replacing the older 2G networks. These two cryptanalyses of various algorithms used in mobile
phone systems and the overviews of different mobile
phone systems. This work takes a systems overview

2. approach; along the same line, perhaps the best provide elementary mobile phone network
security overview of a mobile phone system is “GSM functionality, however a few additional elements are
Interception” by Lauri Personen; another useful normally used to support more than just basic
sources are sections on security in such books as “3G features Home location registers (HLRs) store
networks as GSM, cdmaOne and 3G Systems” by information about subscribers – at the very least the
Steele, Lee, and Gould, and “WCDMA and type of service supported and current location of each
cdma2000 for 3G Mobile Networks” by Karim and user. When a user enters a cell this information is
Sarraff. A work similar to this, but with focus on copied to the respective visitor location register
CDMA2000 standard is “State-of-the-art on (VLR) for efficiency purposes. Each VLR may
CDMA2000 Security Support” by Luuk control one or more cells. When a subscriber leaves
Weltevreden; another works that touch on the same the area controlled by a VLR their information is
topic of 3G security are “UMTS Security” by Boman, moved to the new VLR. When a cellular network
Horn, Howard, and Niemi focusing on UMTS, supports security features, the necessary information
“Evaluation of UMTS security architecture and is stored in authentication center (AuC).
services” by Bais, Penzhorn, Palensky giving an Additionally, equipment identity register (EIR) may
overview along with a look on how some of the be used to track MSs Using the terminology
potential threats are addressed, and “Access Security presented above it is possible to look at early mobile
in CDMA2000, Including a Comparison with UMTS phone systems‟ security.
Access Security” by Koien and Rose which
concentrates on authentication, encryption and
integrity-checking in 3G systems.
3.BACKGROUND
This section provides an overview of the architecture
and security aspects of mobile phone systems that
preceded 3G.
3.1 Mobile Phone Network Architecture
Despite existence of many different types of mobile
phone networks, they all share some basic
components necessary to provide elementary
functionality. This subsection describes these
components and introduces the associated 3.2 1G Analog Networks
terminology. The first mobile phone network
component that a user comes in contact with is a First cellular telephone systems available on the
mobile phone typically referred to as mobile station market were deployed in early 1980s. Before then
(MS). MS communicates with the rest of the network radio telephony was used for communication by
via a radio link to the nearest base station (BS), governments and militaries since 1940s, however the
essentially an antenna with electronics and power invention of efficient handover mechanisms, which
equipment to support it; area covered by a single BS allowed moving from one cell to another, enabled
is referred to as cell. The link between MS and BS mobile phone technology to be introduced to
consists of one or more traffic channels and one or consumers. The MSs in 1G systems transmitted radio
more signaling channels. Traffic channels carry signals inclear using FM over UHF [16]. The only
subscriber-generated data, while signaling channels security feature was authentication of an MS when
are used to transmit communication control data such initiating roaming – using a network of a given
as the MS location information, paging data to the provider – by checking the MS identification number
MS in case of incoming call, network access-related and the subscriber identification number against
data in case of call origination, and other network and HLR. The security belief was that the price and
operator-dependent information. BSs in turn are complexity of equipment needed to receive and
connected to mobile switching centers (MSCs), create such transmissions was prohibitive for an
usually via dedicated non-radio links. MSCs, intruder. This assumption was wrong, and resulted in
similarly to switches in land-line telephone networks, extensive exploits of 1G systems. Two major issues
are mainly concerned with routing data. MSs, BSs, were eavesdropping on conversations and phone
and MSCs are essentially all that is necessary to cloning. Eavesdropping could be accomplished by

3. simply picking up the FM signa ls using a radio
scanner tuned to UHF; phone cloning involved
eavesdropping on authentication exchange between
MS and the network and then reproducing that
exchange from another MS to gain fraudulent access
to the network
3.3 2G Digital Networks – GSM
By mid-1980s the deployed disparate 1G networks in
Europe began approaching their capacity limits and
an international coordinating body – Groupe Special
Mobile (GSM) – was created to develop a new
unified mobile phone system specification. It was 3.3.2 GSM Security Features
required to support greater number of users, similar
or lower operating costs, similar or better speech GSM networks provide a security enhancement over
quality, and be able to coexist with older analog 1G by authenticating users and supporting
systems. To achieve these goals GSM committee confidentiality and anonymity features. However, the
selected TDMA over UHF, a digital multiplexing related algorithms initially weren‟t open for
technique which allowed a more economic and community review, which caused some serious flaws
efficient use of UHF frequencies [26]. Based on to be overlooked. Eventually GSM security
previous experience with 1G networks, security- algorithms leaked and their flaws were discovered
related design goals of GSM were prevention of GSM security model is based on a 128-bit shared
phone cloning and making mobile phone secret Ki between the subscriber‟s SIM and the
conversations no more vulnerable to eavesdropping network – if that key is compromised, the entire
than fixed phones. The standard addressed these account is compromised. When a MS first enters the
stipulations by providing authentication, area of coverage of the network, HLR and AuC
confidentiality, and anonymity features Next provide the appropriate MSC with five triplets each
subsection describes the network elements that were containing 128-bit RAND, 32-bit SRES, and 64-bit
added in GSM system to support the above security Kc. RAND is a random challenge used for
features, and the section following next describes authentication, SRES (signed response) is the
these features and their security in detail. expected response to that challenge based on RAND
and subscriber‟s Ki, Kc is the session key also based
3.3.1 GSM Network Architecture on RAND and Ki. Each triplet is used for one
authentication, and after all the triplets have been
Perhaps the single most important GSM innovation is used up, the MSC is provided with another set of five
subscriber identity module (SIM) – a removable Authentication is the first line of defense in GSM: it
smart card which contains the identification and allows subscribers to use the network and establishes
securityrelated information the subscriber needs to the encryption, if any. Authentication in GSM
use the network. Typically users are identified by proceeds as follows: MS receives the RAND from
their phone number, and use of SIMs enables MSC, calculates the SRES with A3 algorithm using
decoupling of subscriber identities from the MSs and RAND and Ki, and sends it back to MSC. If SRES
allows switching MSs while keeping the number. On matches the one stored at After the standard was
the network side, AuC provides authentication and developed, Groupe Special Mobile was merged into
encryption functions. AuC and SIMs are European Telecommunications Standards Institute
complimentary units in security sense - their (ETSI) and GSM has been renamed „Global System
authentication and encryption algorithms and for Mobile Communications‟ MSC, the
associated keys ultimately have to match for authentication succeeds and the corresponding Kc is
successful communication. used to encrypt further over-the-air communications
between MS and BS/MSC. According to GSM
recommendation, most network operators use
COMP128 algorithm for A3 implementation.
COMP128 produces 128-bit output given two 128-
bit inputs (in case of A3 those are Ki and RAND);
SRES is the first 32 bits of that output [13]. In 1998
ISAAC researchers demonstrated that COMP128 can

4. be broken with chosen-challenge attack: repeatedly similar CDMA built-in physical layer security
querying SIM about 150,000 times with specially- properties. UMTS, as CDMA2000, uses varied size
chosen RANDs and analyzing the resulting SRES Walsh codes for generation of channeling codes to
outputs reveals Ki. Querying SIM can be allow for adjusting throughput on channels
accomplished using an off-the-shelf smart card reader depending on network traffic; the size of Walsh
in about 8 hours as well as over the air in a longer, codes varies from 4 to 256 bits. A more significant
but not prohibitively long period of time (up to 13 security impact, as in cdmaOne, has the scrambling
hours due to radio communication latency). Gaining key which can be also varied in length to change
knowledge of Ki effectively means cloning a SIM bandwidth on the link between MS and the network
and allows the attacker to eavesdrop on conversations based on network congestion. Maximum length of
as well as make calls billed to the SIM‟s owner. the scrambling key on both UMTS and CDMA2000
Although GSM has a mechanism that detects is 42-bits.
duplicate active SIMs thus alleviating the fraudulent
billing problem, eavesdropping is still an open issue.
However, an attacker may not even need to break any
algorithms to eavesdrop on a conversation: since only
the radio link between MS and BS is encrypted, a
wiretap on the operator‟s network past the BS gives
instant access to all data going through . One last
point to make about GSM security is the fact that its
anonymity feature is somewhat inadequate. In an
effort to prevent anyone knowing the subscriber‟s The attack by Li, Ling, and Ren described in
identity (essentially their phone number) from subsection on physical layer security of cdmaOne
eavesdropping on that subscriber and determining networks is applicable to UMTS and CDMA2000;
their location, temporary identities are used during it has the same time complexity on CDMA2000 since
communication between a MS and the network. A the same characteristic polynomials are used as in
temporary identity is assigned to each MS when it is cdmaOne, and on UMTS it actually has lower
authenticated. However, the network can request the complexity due to dependencies among LFSRs used
MS to send to generate the scrambling key. Li, Ling, and Ren
the real identity of its user at any time and that suggest using AES for secure scrambling; this
information is then transfered in the clear over the however has not been implemented [19, 24, 27].
operator‟s network. Additionally, a rogue base station Overall, however, the transmission over air is
canexploit that part of the protocol to retrieve the real reasonably secured to protect from casual
identity of a user . A more adequate anonymity eavesdropping.
provision would be never to send the true identity of
a subscriber over an unencrypted or unauthenticated
channel . This section provided an overview of GSM, 4.1.2 Network Domain Security
the system currently used by 80% of worldwide
mobile phone users (Q1 2007 GSMA data), and Network domain security in UMTS and CDMA2000
pointed out some of its known security problems. The networks relates to communication on and among
next section surveys another widely deployed 2G operators‟ networks. A serious vulnerability of 2G
system – cdmaOne. networks is the absence of network domain security
mechanisms – at the time of their design it was
4.1 3G Mobile Telecommunication Networks – believed that limited access to core switching
UMTS, CDMA2000 networks would provide sufficient protection. This
situation is changing with the advent of 3G systems
UMTS and CDMA2000 specifications are developed as more and more operators enter market.
by separate, but collaborating organizations - Third Additionally, operators turn to IP-based
Generation Partnership Project (3GPP) and Third communication on networks instead of Signaling
Generation Partnership Project 2 (3GPP2) System 7 (SS7) –based Mobile Application Part
respectively. The standards developed by 3GPP and (MAP) protocol or IS41-based protocols of earlier
3GPP2 share a lot in common – that is not surprising mobile telecommunication systems. The network
given the fact that the systems have to coexist and domain standardization is necessary in order to
cooperate to provide roaming services. A major shift achieve interoperability among different operators‟
from 2G is the use of CDMA multiplexing across networks.
both systems. That means that the two systems share

5. no support for non-repudiation and no clear access
control model. So how secure are 3G systems?
Availability-integrity-confidentiality framework
may provide a useful tool in answering that question,
which can be restated as how well the key security
objectives of availability, integrity, and
confidentiality are metby 3G telecommunications
networks. Availability is critical for 3G: aside from
the fact that an increasing number of emergency calls
is placed from mobile phones [GSMA], availability
underpins the other two security objectives. 3G
addresses the availability concerns by authenticating
users and securing operators‟ networks. AKA is
considered to be secure with the algorithms used by
UMTS and CDMA2000. IP-based operator
network, on the other hand, is not and IPsec use isn‟t
mandatory. This can be a potential vulnerability and
IP-based DDoS attacks on 3G operator networks may
prove to be real threats. Confidentiality, perhaps the
Two models address network domain security: best achieved objective of the three, is, nonetheless,
MAPsec and IPsec. MAPsec provides a security not completely realized – it is possible to gain
wrapper for earlier-generation MAP messages. It can improper access to information on 3G networks by
operate in three modes: no protection, integrity exploiting AKA compatibility with GSM
protection only, and encryption authentication. As mentioned in subsection on GSM
with integrity protection. MAPsec uses 128-bit security features, Barkan, Biham, and Keller showed
Rijndael algorithm: in counter mode for encryption how an instant ciphertext only attack can be used to
and in cipher block chaining message authentication recover the session key on GSM networks and
code mode for integrity protection . IPsec is a consequently on 3G. Another possible attack may
security protocol suite for secure communication involve eavesdropping on IMSI transmission when
over IP networks; it can be used to secure TMSI is unavailable and MSC requests IMSI to be
communication over an IP-based 3G operator sent in the clear. IMSI can also be retrieved by an
network. Standards specify the use of Rijndael attacker who gained access to the operators‟ network.
algorithm for encryption, which is, as In other words, despite theuse of strong encryption
mentioned before, considered to be cryptographically provided by 128-bit keys and Rijndael,
secure. IPsec and MAPsec use Internet Key confidentiality objective isn‟t fully reached on 3G
Exchange protocol for key distribution. To sum up, networks. Integrity option in 3G is only provided for
3G standards enable network operators to use signaling channels - this objective is perhaps the least
MAPsec or IPsec to provide network domain achieved in availability-confidentiality-integrity
protection – the use of those protocols, however, isn‟t framework. To sum up, from the point of view of
mandatory availability-confidentiality-integrity framework, 3G
systems aren‟t secure. Having said that, 3G systems
are also very open and perhaps do not require high
5.TELECOMMUNICATION SECURITY levels of security – sensitive applications may be
EVALUATION better off implementing necessary security features
themselves according to theend-to-end principle;
Previous section gave a brief overview of 3G security additionally, due to severe hardware constraints of
features. Despite a somewhat blurry security the least common denominator on the 3G network – a
requirements set out by ITU for 3G, the security of basic cell phone – the more advanced security
the system is a definite improvement over 2G: phone features – for example longer keys, digital signatures,
cloning and eavesdropping are much harder to carry public keys, key escrow for legitimate
out due to the use of longer keys and more secure eavesdropping, or RBAC – aren‟t yet practical.
algorithms; rogue base station attacks are countered Overall, 3G development is a step in the right
with the mutual authentication; rogue shell attacks direction: only collaborative, evolving, open
are handled by USIM authentication in CDMA2000. standards can provide adequate security for such a
Despite addressing all ITUs requirements, not all the large and diverse system.
expected security mechanisms are in place: there is

6. 6.CONCLUSION [11]3G TS 33.120 Security Principles and Objectives
http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Spec
This paper presented a survey of three generations of s/33120-300.pdf
mobile phone systems from a security perspective.
3G networks‟ standards were evaluated within [12]3G TS 33.120 Security Threats and
availability confidentiality- integrity framework and Requirementshttp://www.arib.or.jp/IMT-2011/ARIB-
found to not be secure. This fact, however, should be spec/ARIB/21133-310.PDF
considered with realization that mobile phone [13]Michael Walker “On the Security of 3GPP
systems first and foremost need to provide Networks”http://www.esat.kuleuven.ac.be/cosic/euro
telecommunication service to their subscribers and crypt2000/mike_walker.pdf
have certain limitations that prevent them from
achieving higher levels of security. Finally, some [14]Redl, Weber, Oliphant “An Introduction to
limitations of this work are: omission of discussion of GSM”Artech House, 2010Joachim Tisal
currently deployed 2.5G/2.75G systems (for example
EDGE, GPRS) – the security aspects of these [15]“GSM Cellular Radio Telephony”John Wiley &
systems, however, are closely related to their 2G
Sons, 2009
predecessors;some the protocols/algorithms/attacks
mentioned haven‟t been analyzed in much depth;
[16]Lauri Pesonen “GSM Interception”
finally, there is no experimental data supporting the
claim that 3G systems aren‟t secure. Future work can
http://www.dia.unisa.it/ads.dir/corso-
be geared toward filling those gaps.
security/www/CORSO-9900/a5/Netsec/netsec.html
7.REERENCES
[17]3G TR 33.900 A Guide to 3rd Generation
[1] 3GPP, 2010. TS 35.202 V7 (Specification of Securityftp://ftp.3gpp.org/TSG_SA/WG3_Security/_
KASUMI). Specs/33900-120.pdf
[2] 3GPP, 2010. TS 35.206 V7 (Specification of
MILENAGE). [18]3G TS 33.102 Security Architecture
[3] Rose, G., Koien, G., 2009. Access Security in ftp://ftp.3gpp.org/Specs/2000-
CDMA2000, Including a Comparison with UMTS 12/R1999/33_series/33102-370.zip
Access Security. IEEE Wireless Communications.
[19]3G TR 21.905 Vocabulary for 3GPP
February 2004.
Specifications
[4] Hawkes, P., Rose, G, 2009. Analysis of the
http://www.quintillion.co.jp/3GPP/Specs/21905-
Milenage Algorithm Set. Qualcomm Incorporated.
010.pdf
[5] CDMA Development Group. www.cdg.org (12-7-
2007) [20]ITU-T, 2006. Security in ORYX. Lecture Notes
[6] Millan, W., Gauravaram, P., 2007. Cryptanalysis In Computer Science; Vol. 1556.
of the Cellular Authentication and Voice Encryption
Algorithm. IEICE Electronics Exprss, Vol.1, No. 15.
[7] Goldberg, I., Briceno, M., 2007. GSM Cloning.
www.isaac.cs.berkeley.edu/isaac/gsm-faq.html (12-7-
2007)
[8] Wagner, D., Schenier, B., Kelsey, J., 1997.
Cryptanalysis of the Cellular Message Encryption
Algorithm. Proceedings of Crypto 1997.
[9] Frodigh, M., Parkvall, S., Roobol, C., Johansson,
P., Larsson, P., 2001. Future-Generation
Wireless Networks. IEEE Personal Communications.
Vol. 8, Issue 5, October 2001.
[10] Barkan, E., Biham, E., Keller, N., 2003. Instant
Ciphertext-Only Cryptanalysis of GSM Encrypted
Communication. Proceedings of Crypto 2003.